MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8c6705cd915f56910c6dd245b73c6363f218314642c18837c6a443116e22f38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8c6705cd915f56910c6dd245b73c6363f218314642c18837c6a443116e22f38
SHA3-384 hash: 0deea758d9252f4addfc67d79b5fb16f2d43dc8be86d7ee58c98dd2bad7ecbc3d621f38e525fce0d4d88b2520e923cf3
SHA1 hash: afdcfe2f9bf8b273300a502e9c619eb8b8050bc8
MD5 hash: 9fc8996ff8f9488b8eef8cb24de19a25
humanhash: fanta-winter-harry-magnesium
File name:9fc8996ff8f9488b8eef8cb24de19a25
Download: download sample
Signature AgentTesla
Create hunting rule
File size:630'272 bytes
First seen:2022-07-04 10:19:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:JiTNTsL2iNOevEr9KLIlfhN3Rj+g4UW2OCCa07Gg64j:J8u13vEcLIlfL3RjYsY7Gg
Threatray 18'326 similar samples on MalwareBazaar
TLSH T1E1D4E090B3627F72F03A67B7B88180882771A55D99E6C6298E9DB0DE30B57110CF5F27
TrID 72.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.4% (.EXE) Win64 Executable (generic) (10523/12/4)
6.5% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.4% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
256
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Win.Dropper.Formbook-9954360-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Сreating synchronization primitives
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/62c2bf12dd037e27032e8d66/reports/2a40cce4-22df-4b01-a7ed-2ea9ccdc414c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/145bbe21-5934-4772-b192-5ceb5d16a3c8
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1024087
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 656579 Sample: L877kkgYjT Startdate: 04/07/2022 Architecture: WINDOWS Score: 100 35 Malicious sample detected (through community Yara rule) 2->35 37 Multi AV Scanner detection for dropped file 2->37 39 Multi AV Scanner detection for submitted file 2->39 41 8 other signatures 2->41 7 L877kkgYjT.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\hpYsmSWX.exe, PE32 7->23 dropped 25 C:\Users\...\hpYsmSWX.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp82D6.tmp, XML 7->27 dropped 29 C:\Users\user\AppData\...\L877kkgYjT.exe.log, ASCII 7->29 dropped 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->43 45 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->45 47 Uses schtasks.exe or at.exe to add and modify task schedules 7->47 49 2 other signatures 7->49 11 L877kkgYjT.exe 2 7->11         started        15 powershell.exe 25 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 31 saath.org 43.224.137.92, 49770, 587 NETMAGIC-APNetmagicDatacenterMumbaiIN India 11->31 33 mail.saath.org 11->33 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->51 53 Tries to steal Mail credentials (via file / registry access) 11->53 55 Tries to harvest and steal ftp login credentials 11->55 57 2 other signatures 11->57 19 conhost.exe 15->19         started        21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f8c6705cd915f56910c6dd245b73c6363f218314642c18837c6a443116e22f38/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2022-06-30 20:10:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
21 of 39 (53.85%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ddhaxgzcx2wsegg3usfw46ggy7sdayumqwbra34njcdcfxcf44a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
115b57c25f8e7cb980b3f3282feab5d182024a7a71d7d021e1d2a0faa7bde518
AgentTesla
291ddd3ed10197399b9d1002f0f7aaddc6c930939a06e403b86e6db8e56da122
AgentTesla
3b95ba23682da35650b205c92fbe21feb06875d2954b6d9d49aa6c7541c89236
AgentTesla
3ccd77c1f438ad966df50216815ec83e15eaf1fe2bdeff07eaf1cb7d10ba4d1c
AgentTesla
484b47b1e8722e5aaf65a92d019bff1863697b3fc6a9453f3fb6ca698530cfd8
AgentTesla
6d683bd3a2a79763dfa70a69655ce558e947d4a455b26dc9de747b1d7ebb5921
AgentTesla
a87ccadf252efe6821ef107a828b42a8bc613bc6a7978fbeb0ccaecf09dceba6
AgentTesla
da96cdc377c7c7a72d609007f49eb0ef92b91671012f440f74576583f274b894
AgentTesla
eb548a89bf00397d18b926af72deaf6d96673c4f7df47f78462e2f5f7781bf8a
AgentTesla
fd4f0fc6b923156a4db28cd1cb57fd66118a99785315ac7ca7f11d4c5ac52933
AgentTesla
+ 18'316 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger spyware stealer suricata trojan
Link:
https://tria.ge/reports/220704-mc3qtsaee3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks computer location settings
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
suricata: ET MALWARE AgentTesla Exfil Via SMTP
Unpacked files
SH256 hash:
d398a09a71bf23f8249ff61b5fe6a08a5b6088b5c08b0afd0fb3d6953795ac8b
MD5 hash:
d1484e39977447834cd476fd0fb86c8f
SHA1 hash:
d446e684565393b8f25e81a1d94d113c3de80d10
Link:
https://www.unpac.me/results/a0b42ba3-a742-480c-8c9f-a4a1afa7d8b3/
SH256 hash:
0cb6aef1fa57d11408e47ae071485ef8f48c2982997b8d74b47a4151d85b978c
MD5 hash:
843aa6edf83bff7b61c6a5369ef41e95
SHA1 hash:
d1bfeec8eaac9a1dacf2f7062ce964d8e7d77085
Link:
https://www.unpac.me/results/a0b42ba3-a742-480c-8c9f-a4a1afa7d8b3/
SH256 hash:
5c0e141d27aade1fa8bcbf396de1281463fa0507e7bc4f3b203e66d6b267bd68
MD5 hash:
63dfadd790a0ac3187edb41a5fbcb72d
SHA1 hash:
6efbd22eaf6fb7f26772a8c11dde4ea643985917
Link:
https://www.unpac.me/results/a0b42ba3-a742-480c-8c9f-a4a1afa7d8b3/
SH256 hash:
16b9fc4700292684bae0ef2da4a4f4b393103771e93c0b48747df8a24af40d59
MD5 hash:
12ae0e4078e6e9da25181468d72b7ef4
SHA1 hash:
3f88feb096debc12d2f72bac4dfe7e799c7bbf36
Link:
https://www.unpac.me/results/a0b42ba3-a742-480c-8c9f-a4a1afa7d8b3/
SH256 hash:
94afe9d4616d3fa082a8e0daa35838346256a4906bead6a84719d3a305d51fc7
MD5 hash:
095379248e4750aed2a4b2d212b781e2
SHA1 hash:
24ddd2d75afdbcfd29399a2a714fd6613d523919
Link:
https://www.unpac.me/results/a0b42ba3-a742-480c-8c9f-a4a1afa7d8b3/
SH256 hash:
f8c6705cd915f56910c6dd245b73c6363f218314642c18837c6a443116e22f38
MD5 hash:
9fc8996ff8f9488b8eef8cb24de19a25
SHA1 hash:
afdcfe2f9bf8b273300a502e9c619eb8b8050bc8
Link:
https://www.unpac.me/results/a0b42ba3-a742-480c-8c9f-a4a1afa7d8b3/
Malware family:
AgentTesla.v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f8c6705cd915/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f8c6705cd915f56910c6dd245b73c6363f218314642c18837c6a443116e22f38

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2253755/

Comments


Avatar
zbet commented on 2022-07-04 10:19:20 UTC

url : hxxp://lutanedukasi.co.id/wp-includes/b6sYLcgGvFxeRjN.exe